<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Restore a cluster’s security configuration | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'restore-security-configuration.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/restore-security-configuration.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/restore-security-configuration.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/restore-security-configuration.html" rel="nofollow" target="_blank">../en/restore-security-configuration.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="high-availability.html">Set up a cluster for high availability</a></span>
»
<span class="breadcrumb-link"><a href="backup-cluster.html">Back up a cluster</a></span>
»
<span class="breadcrumb-node">Restore a cluster’s security configuration</span>
</div>
<div class="navheader">
<span class="prev">
<a href="security-backup.html">« Back up a cluster’s security configuration</a>
</span>
<span class="next">
<a href="restore-cluster-data.html">Restore a cluster’s data »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="restore-security-configuration"></a>Restore a cluster’s security configuration<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/high-availability/backup-and-restore-security-config.asciidoc">edit</a>
</h2>
</div></div></div>

<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>You can restore a snapshot of the <code class="literal">.security</code> index only if it was
created in a previous minor version in the same major version. The last minor
version of every major release can convert and read formats of the index for
both its major version and the next one.</p>
</div>
</div>
<p>When you restore security configuration you have the option of doing a complete
restore of <span class="strong strong"><strong>all</strong></span> configurations, including non-security ones, or to only restore
the contents of the <code class="literal">.security</code> index. As described in
<a class="xref" href="security-backup.html#backup-security-index-configuration" title="Back up index-based security configuration">Back up index-based security configuration</a>, the second option comprises only
resource-type configurations. The first option has the advantage of restoring
a cluster to a clearly defined state from a past point in time. The second option
touches only security configuration resources, but it does not completely restore
the security features.</p>
<p>To restore your security configuration from a backup, first make sure that the
repository holding <code class="literal">.security</code> snapshots is installed:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">GET /_snapshot/my_backup</pre>
</div>
<div class="console_widget" data-snippet="snippets/1171.console"></div>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">GET /_snapshot/my_backup/snapshot_1</pre>
</div>
<div class="console_widget" data-snippet="snippets/1172.console"></div>
<p>Then log into one of the node hosts, navigate to Elasticsearch installation directory,
and follow these steps:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Add a new user with the <code class="literal">superuser</code> built-in role to the
<a class="xref" href="file-realm.html" title="File-based user authentication">file realm</a>.</p>
<p>For example, create a user named <code class="literal">restore_user</code>:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-users useradd restore_user -p password -r superuser</pre>
</div>
</li>
<li class="listitem">
<p>Using the previously created user, delete the existing <code class="literal">.security-6</code> or
<code class="literal">.security-7</code> index.</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">curl -u restore_user -X DELETE "localhost:9200/.security-*"</pre>
</div>
<div class="warning admon">
<div class="icon"></div>
<div class="admon_content">
<p>After this step any authentication that relies on the <code class="literal">.security</code>
index will not work. This means that all API calls that authenticate with
native or reserved users will fail, as will any user that relies on a native role.
The file realm user we created in the step above will continue to work
because it is not stored in the <code class="literal">.security</code> index and uses the built-in
<code class="literal">superuser</code> role.</p>
</div>
</div>
</li>
<li class="listitem">
<p>Using the same user, restore the <code class="literal">.security</code> index from the snapshot.</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell"> curl -u restore_user -X POST "localhost:9200/_snapshot/my_backup/snapshot_1/_restore" -H 'Content-Type: application/json' -d'
 {
    "indices": ".security-*",
    "include_global_state": true <a id="CO456-1"></a><i class="conum" data-value="1"></i>
 }
 '</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO456-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>The <code class="literal">include_global_state: true</code> is mandatory only for a complete restore.
This will restore the global cluster metadata, which contains configuration
information for the complete cluster. If you set this to <code class="literal">false</code>, it recovers
only the contents of the <code class="literal">.security</code> index, such as usernames and password
hashes, API keys, application privileges, role and role mapping definitions.</p>
</td>
</tr>
</table>
</div>
</li>
<li class="listitem">
Optionally, if you need to review and override the settings that were included
in the snapshot (by the <code class="literal">include_global_state</code> flag), cherry-pick and
<a class="xref" href="cluster-update-settings.html" title="Cluster update settings API">apply the persistent settings</a> that you
<a class="xref" href="backup-cluster-configuration.html" title="Back up a cluster’s configuration">have extracted</a> with the
<code class="literal">GET _cluster/settings</code> API.
</li>
<li class="listitem">
<p>If you pursue a complete point in time restore of the cluster, you also have
to restore configuration files. Again, this will restore non-security settings as
well.</p>
<p>This entails a straight-up filesystem copy of the backed up configuration files,
overwriting the contents of <code class="literal">$ES_PATH_CONF</code>, and restarting the node. This
needs to be done on <span class="strong strong"><strong>every node</strong></span>. Depending on the extent of the differences
between your current cluster configuration and the restored configuration, you
may not be able to perform a rolling restart. If you are performing a full
restore of your configuration directory, we recommend a full cluster restart as
the safest option. Alternatively, you may wish to restore your configuration
files to a separate location on disk and use file comparison tools to review
the differences between your existing configuration and the restored
configuration.</p>
</li>
</ol>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="security-backup.html">« Back up a cluster’s security configuration</a>
</span>
<span class="next">
<a href="restore-cluster-data.html">Restore a cluster’s data »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>